Data Privacy in the Enterprise
In this last chapter, we will equip you with practical information to help you elevate your enterprise data protection and privacy plan by covering the following topics:
How Can You Ensure Data Privacy?
The following best practices and methods have proved to be instrumental for enterprises looking to protect and maintain data privacy and confidentiality:
- Do not collect customer information you do not need or intend to use. Make sure the different stakeholders are conscious of the associated responsibility that comes with collecting and retaining personal information. If there is no business reason for collecting social security numbers or customer phone numbers, it is better to keep the information out of harm’s way.
- Encrypt all sensitive data with strong encryption methods. Remember that your system is only as strong as your weakest link (or encryption method).
- Train your employees. Especially if you’re operating in a highly sensitive industry (e.g. healthcare), make sure they understand the importance of customer privacy and confidentiality and the regulations that apply to the industry you operate in (e.g. HIPAA – Health Insurance Portability and Accountability Act).
What Is a Privacy Plan?
NIST defines a privacy plan as a “formal document that provides an overview of the privacy requirements for an information system or program and describes the privacy controls in place or planned for meeting those requirements. The privacy plan may be integrated into the organizational security plan or developed as a separate plan.”
Source(s): NIST SP 800-53A Rev. 4 under Privacy Plan
Who Is Responsible for Data Privacy?
- The ultimate authority on privacy in the enterprise is the Data Privacy Officer (DPO), who should have a comprehensive perspective of all privacy aspects.
- The enterprise Chief Information Security Officer (CISO), equipped with the tools, knowledge, and resources, will own the implementation of the technical aspects of the privacy program. In certain cases the CISO acts as a DPO. It is important to mention that many data privacy requirements eventually funnel into data engineering teams who own the data platforms in the enterprise and are tasked with technical implementation.
Which Tools Can Implement Data Privacy Regulations?
There is a variety of tools and categories an enterprise should consider when implementing data privacy regulations:
- Data Access Control Platform (Satori)
- Cloud Access Security Broker (CASB)
- Data Loss Prevention (DLP)
- Endpoint Protection
- Mobile Device Management (MDM)
- Encryption Software
- Identity and Access Management (IAM)
- Consent Management Applications
- Compliance Software
- Customer Data Management Platforms (CDM)
- Data Backup and Recovery Solutions
- Enterprise Content Management (ECM)
These tools can cover a very wide array of cases and requirements. Therefore, in order to avoid an excessive data privacy program, implementation should be based on the privacy requirements as defined in your privacy plan.
How Does Storing Data in the Cloud Affect Compliance with Data Privacy Laws?
In short, storing data in the cloud does not affect compliance with data protection laws, as the overall responsibility is on the data controller. Even if the enterprise uses best-of-breed cloud service providers, it’s the enterprise’s responsibility to verify data is handled according to relevant data protection laws and regulations. It falls under the data controller’s ownership to verify that the cloud provider processes personal data in a secure manner and to ensure, for example, that data is not transferable outside of specific regional boundaries (e.g. EU borders for GDPR).
It is important to establish a responsibility level with your cloud providers with regard to data security and continuity and agree, in advance, on compensation in the unfortunate event of a data leak.